[SCM] Quake 3 engine branch, master, updated. debian/1.36+svn2224-4

Simon McVittie smcv at debian.org
Fri Jun 15 08:13:16 UTC 2012


The following commit has been merged in the master branch:
commit 0f45099aeece8bcd840ba56111f4e5f73a8a0ed5
Author: Simon McVittie <smcv at debian.org>
Date:   Wed Jun 13 20:15:59 2012 +0100

    Fix CVE-2012-3345
    
    * Fix symlink attack in /tmp by moving pid file into the user-specific
      directory ~/.q3a, ~/.openarena etc. (CVE-2012-3345)
    * As a precaution, remove Sys_TempPath() altogether, so that any
      other unsafe usage will fail

diff --git a/debian/changelog b/debian/changelog
index 06b59c2..60ce9a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ioquake3 (1.36+svn2224-4) unstable; urgency=high
+
+  * Fix symlink attack in /tmp by moving pid file into the user-specific
+    directory ~/.q3a, ~/.openarena etc. (CVE-2012-3345)
+  * As a precaution, remove Sys_TempPath() altogether, so that any
+    other unsafe usage will fail
+
+ -- Simon McVittie <smcv at debian.org>  Wed, 13 Jun 2012 20:13:45 +0100
+
 ioquake3 (1.36+svn2224-3) unstable; urgency=low
 
   * Merge from experimental
diff --git a/debian/patches/0011-CVE-2012-3345-write-ioq3.pid-to-home-path-not-temp-d.patch b/debian/patches/0011-CVE-2012-3345-write-ioq3.pid-to-home-path-not-temp-d.patch
new file mode 100644
index 0000000..307d1f6
--- /dev/null
+++ b/debian/patches/0011-CVE-2012-3345-write-ioq3.pid-to-home-path-not-temp-d.patch
@@ -0,0 +1,37 @@
+From 443bdd8c3d6c92a0ad2d5f6da0aaead992e50f0d Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv at debian.org>
+Date: Mon, 11 Jun 2012 10:55:33 +0100
+Subject: [PATCH 1/2] CVE-2012-3345: write ioq3.pid to home path, not temp
+ directory
+
+On a multi-user system, an attacker could create a symbolic link
+/tmp/ioq3.pid pointing to any file owned by a user who plays an
+ioquake3-based game. When the victim runs ioquake3, the target file
+will be overwritten and replaced with the process ID of ioquake3.
+
+To avoid this, write the pid to the home path (e.g. ~/.q3a on Unix).
+
+Signed-off-by: Simon McVittie <smcv at debian.org>
+Forwarded: yes, likely to be upstream r2253
+Reviewed-by: Ludwig Nussel <ludwig.nussel at suse.de>
+Reviewed-by: Zack Middleton <zturtleman gmail com>
+---
+ code/sys/sys_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/code/sys/sys_main.c b/code/sys/sys_main.c
+index ed00b65..dae8e8f 100644
+--- a/code/sys/sys_main.c
++++ b/code/sys/sys_main.c
+@@ -140,7 +140,7 @@ Sys_PIDFileName
+ */
+ static char *Sys_PIDFileName( void )
+ {
+-	return va( "%s/%s", Sys_TempPath( ), PID_FILENAME );
++	return va( "%s/%s", Sys_DefaultHomePath( ), PID_FILENAME );
+ }
+ 
+ /*
+-- 
+1.7.10
+
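Review bot: In the patched `Sys_PIDFileName`, the return value of `Sys_DefaultHomePath( )` is passed straight into `va( "%s/%s", ... )` with no check, so a NULL or empty home path would hand NULL to `%s` or yield `/ioq3.pid` at the filesystem root. Whether that can happen is not visible here, because the implementations of `Sys_DefaultHomePath` are not part of this patch. A guard such as `const char *home = Sys_DefaultHomePath( ); if( !home || !*home ) return NULL;` would make the case explicit, provided the callers, which are outside this hunk, skip the pid file when they get NULL. The comment above the function could also state that the pid file must live in a directory only the owning user can write to, so a later change does not move it back to a shared location. The home directory may not exist yet on a first run, and whether the code that opens the file copes with that cannot be seen from this hunk.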
diff --git a/debian/patches/0012-CVE-2012-3345-remove-Sys_TempPath-altogether-to-avoi.patch b/debian/patches/0012-CVE-2012-3345-remove-Sys_TempPath-altogether-to-avoi.patch
new file mode 100644
index 0000000..8c824af
--- /dev/null
+++ b/debian/patches/0012-CVE-2012-3345-remove-Sys_TempPath-altogether-to-avoi.patch
@@ -0,0 +1,124 @@
+From 6da2182c852b9ea685aff8d4925abd94aa1400cd Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv at debian.org>
+Date: Mon, 11 Jun 2012 10:56:33 +0100
+Subject: [PATCH 2/2] CVE-2012-3345: remove Sys_TempPath() altogether, to
+ avoid misuse
+
+Writing to a predictable filename in /tmp is not safe.
+
+Signed-off-by: Simon McVittie <smcv at debian.org>
+Forwarded: yes, likely to be upstream r2254
+Reviewed-by: Ludwig Nussel <ludwig.nussel at suse.de>
+Reviewed-by: Zack Middleton <zturtleman gmail com>
+---
+ code/qcommon/qcommon.h |    1 -
+ code/sys/sys_osx.m     |   22 ----------------------
+ code/sys/sys_unix.c    |   17 -----------------
+ code/sys/sys_win32.c   |   18 ------------------
+ 4 files changed, 58 deletions(-)
+
+diff --git a/code/qcommon/qcommon.h b/code/qcommon/qcommon.h
+index 8d36231..389c4f1 100644
+--- a/code/qcommon/qcommon.h
++++ b/code/qcommon/qcommon.h
+@@ -1120,7 +1120,6 @@ char    *Sys_DefaultAppPath(void);
+ 
+ void  Sys_SetDefaultHomePath(const char *path);
+ char	*Sys_DefaultHomePath(void);
+-const char	*Sys_TempPath(void);
+ const char *Sys_Dirname( char *path );
+ const char *Sys_Basename( char *path );
+ char *Sys_ConsoleInput(void);
+diff --git a/code/sys/sys_osx.m b/code/sys/sys_osx.m
+index a26d8a2..30bf932 100644
+--- a/code/sys/sys_osx.m
++++ b/code/sys/sys_osx.m
+@@ -35,28 +35,6 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ #import <Cocoa/Cocoa.h>
+ 
+ /*
+-================
+-Sys_TempPath
+-================
+-*/
+-const char *Sys_TempPath( void )
+-{
+-	static UInt8 posixPath[ MAX_OSPATH ];
+-	FSRef ref;
+-	if( FSFindFolder( kOnAppropriateDisk,
+-				kTemporaryFolderType, kCreateFolder, &ref ) == noErr )
+-	{
+-		if( FSRefMakePath( &ref, posixPath,
+-					sizeof( posixPath ) - 1 ) == noErr )
+-		{
+-			return (const char *)posixPath;
+-		}
+-	}
+-
+-	return "/tmp";
+-}
+-
+-/*
+ ==============
+ Sys_Dialog
+ 
+diff --git a/code/sys/sys_unix.c b/code/sys/sys_unix.c
+index e88465d..a60b086 100644
+--- a/code/sys/sys_unix.c
++++ b/code/sys/sys_unix.c
+@@ -78,23 +78,6 @@ char *Sys_DefaultHomePath(void)
+ 	return homePath;
+ }
+ 
+-#ifndef MACOS_X
+-/*
+-================
+-Sys_TempPath
+-================
+-*/
+-const char *Sys_TempPath( void )
+-{
+-	const char *TMPDIR = getenv( "TMPDIR" );
+-
+-	if( TMPDIR == NULL || TMPDIR[ 0 ] == '\0' )
+-		return "/tmp";
+-	else
+-		return TMPDIR;
+-}
+-#endif
+-
+ /*
+ ================
+ Sys_Milliseconds
+diff --git a/code/sys/sys_win32.c b/code/sys/sys_win32.c
+index 241fc92..58fd9ab 100644
+--- a/code/sys/sys_win32.c
++++ b/code/sys/sys_win32.c
+@@ -129,24 +129,6 @@ char *Sys_DefaultHomePath( void )
+ 
+ /*
+ ================
+-Sys_TempPath
+-================
+-*/
+-const char *Sys_TempPath( void )
+-{
+-	static TCHAR path[ MAX_PATH ];
+-	DWORD length;
+-
+-	length = GetTempPath( sizeof( path ), path );
+-
+-	if( length > sizeof( path ) || length == 0 )
+-		return Sys_DefaultHomePath( );
+-	else
+-		return path;
+-}
+-
+-/*
+-================
+ Sys_Milliseconds
+ ================
+ */
+-- 
+1.7.10
+
diff --git a/debian/patches/series b/debian/patches/series
index d4c2eb4..7066512 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,5 @@
 0008-Let-servers-set-sv_fps-too.patch
 0009-FS_GamePureChecksum-remove-never-called.patch
 0010-Do-not-reference-a-pak-file-just-because-it-contains.patch
+0011-CVE-2012-3345-write-ioq3.pid-to-home-path-not-temp-d.patch
+0012-CVE-2012-3345-remove-Sys_TempPath-altogether-to-avoi.patch

-- 
Quake 3 engine


